There are some limitations using Virtual Private Networking. With VPNs, the user on the client computer must explicitly launch the connection to the server. The server then authenticates the user and authorizes access to the internal network resources. Depending on the server policies, this can take some time. If the client loses its Internet connection for any reason, the user must manually reestablish the VPN connection. Show
Direct Access, on the other hand uses connections that the client computer establishes automatically and that are always on. As soon as the client computer connects to the Internet, it begins the Direct Access connection process. It also benefits you as network administrator. Direct Access connections are bidirectional, and Windows 7 clients establish their computer connections before the user even logs on to the system. This means that administrators can get access to the client computer at any time so they can apply Group Policy settings, deploy patches, or perform other upgrade and maintenance tasks. When a client connects to a Direct Access server, it creates two separate IPSec tunnels. The first connection uses a computer certificate and enables the client to access the Domain Name System (DNS) server and the Active Directory Domain Services (AD DS) domain controller on the intranet. With this access, the client can download Group Policy objects and initiate the user authentication process. The client then uses the second connection to authenticate the user account and access the intranet resources and application servers. Choosing an Access ModelThe access model you choose for your DirectAccess deployment specifies where on your intranet the IPSec encryption will terminate and how the traffic to and from the client will proceed once it passes through the DirectAccess server. The access model you choose for your deployment also specifies how the DirectAccess server will forward the client traffic to the resources on the intranet. Three access models are available. End-to-edge: Here DirectAccess clients establish tunnel mode connections to an IPSec gateway server, typically the computer functioning as the Direct Access server. The IPSec gateway server then forwards the client traffic, now protected by IPSec, to the application servers on the intranet. This model keeps IPSec traffic off of the intranet and enables you to use application servers that run Windows Server 2003, or any other operating system that supports IPv6. Modified end-to-edge: This model is identical to the end-to-edge model, except that it uses an additional IPSec tunnel that authenticates clients at the application server. Client traffic is therefore encrypted only as far as the IPSec gateway server, but it is authenticated all the way to the application server. The need for this additional authentication also makes it easier for administrators to limit client access to specific application servers. To use this model, application servers must be running Windows Server 2008 R2. All these model descriptions assume that the intranet applications and resources are all capable of supporting IPv6 connections to the DirectAccess server. If not so the intranet needs some kind of IPv4-to-IPv6 transition mechanism, such as ISATAP or a NAT-PT device. DirectAccess, also known as Unified Remote Access, is a VPN technology that provides intranet connectivity to client computers when they are connected to the Internet. Unlike many traditional VPN connections, which must be initiated and terminated by explicit user action, DirectAccess connections are designed to connect automatically as soon as the computer connects to the Internet. DirectAccess was introduced in Windows Server 2008 R2, providing this service to Windows 7 and Windows 8 "Enterprise" edition clients. In 2010, Microsoft Forefront Unified Access Gateway (UAG) was released, which simplifies[1] the deployment of DirectAccess for Windows 2008 R2, and includes additional components that make it easier to integrate without the need to deploy IPv6 on the network, and with a dedicated user interface for the configuration and monitoring. Some requirements and limitations that were part of the design of DirectAccess with Windows Server 2008 R2 and UAG have been changed (see requirements below). While DirectAccess is based on Microsoft technology, third-party solutions exist for accessing internal UNIX and Linux servers through DirectAccess. With Windows Server 2012, DirectAccess is fully integrated into the operating system, providing a user interface to configure and native IPv6 and IPv4 support.[2] Technology[edit]DirectAccess establishes IPsec tunnels from the client to the DirectAccess server, and uses IPv6 to reach intranet resources or other DirectAccess clients. This technology encapsulates the IPv6 traffic over IPv4 to be able to reach the intranet over the Internet, which still (mostly) relies on IPv4 traffic. All traffic to the intranet is encrypted using IPsec and encapsulated in IPv4 packets (if a native IPv6 connection cannot be established), which means that in most cases, no configuration of firewalls or proxies should be required.[3] A DirectAccess client can use one of several tunneling technologies, depending on the configuration of the network the client is connected to. The client can use 6to4, Teredo tunneling, or IP-HTTPS, provided the server is configured correctly to be able to use them. For example, a client that is connected to the Internet directly will use 6to4, but if it is inside a NATed network, it will use Teredo instead. In addition, Windows Server 2012 provides two backward compatibility services DNS64 and NAT64, which allows DirectAccess clients to communicate with servers inside the corporate network even if those servers are only capable of IPv4 networking. Due to the globally routable nature of IPv6, computers on the corporate network can also initiate a connection to DirectAccess clients, which allows them to remotely manage (Manage Out) these clients at any time.[4] Benefits[edit]DirectAccess can be deployed for multiple sites. It allows for a secure encrypted VPN. This is controlled through Group Policies which allows the administrator to maintain a secure network. Requirements[edit]DirectAccess With Windows Server 2008 R2 or UAG requires:
DirectAccess With Windows Server 2012 requires:
Smart card certificates, and health certificates for Network Access Protection may be used along with PKI. What kind of connectivity does DirectAccess provide between client computers and network resources?A: DirectAccess provides seamless and transparent, always on, bi-directional remote network connectivity for managed Windows clients. Administrators can manage clients when they are outside the network, and remote users can access internal network resources whenever they have an Internet connection.
How does DirectAccess handle encryption and authentication?DirectAccess provides a fully encrypted and authenticated mode of connection. It gives employees an authenticated IPSec encryption for integrity and confidentiality.
How does a DirectAccess client determine if it is connected to the intranet or the Internet?DirectAccess clients attempt to connect to the DirectAccess network location server in order to determine whether they are located on the Internet, or on the corporate network: If the connection is successful, then clients are determined to be on the intranet and DirectAccess is not used, and client requests are ...
How are the clients configured to use DirectAccess?Configure DirectAccess with the Getting Started Wizard
In Server Manager click Tools, and then click Remote Access Management. In the Remote Access Management console, select the role service to configure in the left navigation pane, and then click Run the Getting Started Wizard. Click Deploy DirectAccess only.
|
